Issues and solutions in email evidence.
Email evidence can prove valuable to a case. However, it is important to thoroughly authenticate emails used in litigation. Failure to prove the validity of an email item could render a crucial piece of evidence inadmissible in court.
Email content from a sender that survives only as quoted text inside a reply or forward chain may be deemed hearsay. It is easy for any user to modify content quoted within a reply or forward chain — this content is copied into each reply rather than preserved, so anyone in the chain can change the text in their copy before forwarding it along.
A single email can be validated based on confirmation from other email sources. When an email message is successfully sent, at least three records will be generated — the sender’s email message, the recipient’s email message, and the message logged on the email servers through which it is sent. These other records or logs help assert that the email was transmitted and that all metadata (recipient, sender, attached files, email format) aligns with corresponding records maintained by other custodians or other devices.
Deleted emails provide an additional redundant record that can be aligned with email copies maintained by another custodian or on another server. If an email has been deleted from a computer, it may still be recovered using forensic tools, but only until the file system reuses and overwrites that space. Analysis of a forensic image of a device can surface such a record in situations where examining a live email account is less effective.
The use of email applications on mobile devices is common with the adoption of BYOD (Bring Your Own Device) policies. Email copies maintained on these devices can provide an additional source of corroborative email evidence.
One tactic used to undermine email evidence is to question the true author of the message. Anyone with the email password or access to a logged-in device can send a message from someone else’s account. Techniques such as email spoofing might give an email the appearance of having been sent from one address when it is actually sent from another address for malicious purposes.
Solution: Header and Contextual Analysis
Authorship must be demonstrated through both the email header metadata and the content of the email itself. Email header information is built from the path the email takes. Like a letter sent to several acquaintances, each piece of mail is its own document with addressing and return-addressing, even if the content is the same. Analysis will include validating and building on this information by investigating the Received, Sender, Return-Path, Content-Type, and other header fields that reveal detailed information about the communication.
An email header commonly contains a DKIM signature. DKIM (DomainKeys Identified Mail) is a way of verifying that an email claiming to come from a domain was authorized by that domain. An email that can be DKIM-authenticated carries a cryptographic signature in its DKIM-Signature header field, which is verified using the signing domain’s published public key. This allows receiving email servers to confirm that the signed headers and body were not altered in transit.
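The header and DKIM checks described in the two paragraphs above, as an added Python example that is not part of the original article. It parses a constructed message (placeholder hosts, selector and b= value), lists the Received hops in transit order, extracts the DKIM tags, and recomputes the bh= body hash under "simple" canonicalization so that an altered body is detected offline; verifying the b= signature itself would additionally require the selector's public key from DNS.

```python
import base64
import hashlib
from email import message_from_string

def canonicalize_simple(body: str) -> str:
    """RFC 6376 'simple' body canonicalization: CRLF endings, no trailing empty lines."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"

def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body, the value carried in the bh= tag."""
    digest = hashlib.sha256(canonicalize_simple(body).encode()).digest()
    return base64.b64encode(digest).decode()

def parse_dkim_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def analyze(raw: str) -> dict:
    """Extract what an examiner compares against server logs and other custodians' copies."""
    msg = message_from_string(raw)
    tags = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    return {
        "return_path": msg.get("Return-Path"),
        # Each relay prepends its Received line, so reversing gives transit order (oldest first).
        "hops": [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))],
        "signing_domain": tags.get("d"),
        "signed_headers": tags.get("h", "").split(":"),
        # Offline body-integrity check; verifying b= additionally needs the selector's DNS key.
        "body_hash_matches": tags.get("bh") == body_hash(msg.get_payload()),
    }

def sample_message(body: str) -> str:
    """Constructed message, not a real capture: hosts, selector and b= are placeholders."""
    return (
        "Return-Path: <alice@example.com>\n"
        "Received: from mx.example.net (mx.example.net [192.0.2.20])\n"
        "\tby mail.example.org with ESMTPS; Tue, 04 Jun 2024 09:14:07 +0000\n"
        "Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
        "\tby mx.example.net with ESMTP; Tue, 04 Jun 2024 09:14:03 +0000\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1;\n"
        "\th=from:to:subject:date; bh=" + body_hash(body) + "; b=PLACEHOLDER\n"
        "From: Alice <alice@example.com>\nTo: Bob <bob@example.org>\n"
        "Subject: Contract\nDate: Tue, 04 Jun 2024 09:14:00 +0000\n\n" + body
    )
```

Running `analyze(sample_message(...))` on a copy whose body text was edited after signing reports `body_hash_matches` as False, while the Received chain and Return-Path give the hop-by-hop record to reconcile with server logs.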
Emails must be examined contextually within the chain of a conversation and the system on which they were generated. By obtaining a forensic image of the device from which an email was sent, data indicating login times, internet behavior, and credentials used might be retrieved to compare with expected user behavior. The legal framework surrounding email authentication is nuanced. For example, FRE Rule 803(6) provides that when a document is generated according to regular activities conducted by a business or organization it may be excepted from the rule against hearsay. If an email is sent when a user is expected to be present at a workstation and sent with a business-associated email signature, this email may be authenticated as a regular business record.